_PUBLIC_ struct tsocket_address *socket_address_to_tsocket_address(TALLOC_CTX *mem_ctx,
const struct socket_address *a)
{
struct tsocket_address *r;
int ret;
if (!a) {
return NULL;
}
if (a->sockaddr) {
ret = tsocket_address_bsd_from_sockaddr(mem_ctx,
a->sockaddr,
a->sockaddrlen,
&r);
} else {
ret = tsocket_address_inet_from_strings(mem_ctx,
a->family,
a->addr,
a->port,
&r);
}
if (ret != 0) {
return NULL;
}
return r;
}
static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
hdb_entry_ex *entry,
struct sockaddr *from_addr,
const char *original_client_name,
const char *auth_type,
int hdb_auth_status)
{
struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
struct samba_kdc_db_context);
struct ldb_dn *domain_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
/*
* Forcing this via the NTLM auth structure is not ideal, but
* it is the most practical option right now, and ensures the
* logs are consistent, even if some elements are always NULL.
*/
struct auth_usersupplied_info ui = {
.mapped_state = true,
.was_mapped = true,
.client = {
.account_name = original_client_name,
.domain_name = NULL,
},
.service_description = "Kerberos KDC",
.auth_description = "ENC-TS Pre-authentication",
.password_type = auth_type
};
size_t sa_socklen = 0;
switch (from_addr->sa_family) {
case AF_INET:
sa_socklen = sizeof(struct sockaddr_in);
break;
#ifdef HAVE_IPV6
case AF_INET6:
sa_socklen = sizeof(struct sockaddr_in6);
break;
#endif
}
switch (hdb_auth_status) {
case HDB_AUTHZ_SUCCESS:
{
struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
struct samba_kdc_entry);
/*
* TODO: We could log the AS-REQ authorization success here as
* well. However before we do that, we need to pass
* in the PAC here or re-calculate it.
*/
authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
domain_dn, true);
break;
}
case HDB_AUTH_INVALID_SIGNATURE:
break;
case HDB_AUTH_CORRECT_PASSWORD:
case HDB_AUTH_WRONG_PASSWORD:
{
TALLOC_CTX *frame = talloc_stackframe();
struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
struct samba_kdc_entry);
struct dom_sid *sid
= samdb_result_dom_sid(frame, p->msg, "objectSid");
const char *account_name
= ldb_msg_find_attr_as_string(p->msg, "sAMAccountName", NULL);
const char *domain_name = lpcfg_sam_name(p->kdc_db_ctx->lp_ctx);
struct tsocket_address *remote_host;
NTSTATUS status;
int ret;
if (hdb_auth_status == HDB_AUTH_WRONG_PASSWORD) {
authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
status = NT_STATUS_WRONG_PASSWORD;
} else {
status = NT_STATUS_OK;
}
ret = tsocket_address_bsd_from_sockaddr(frame, from_addr,
sa_socklen,
&remote_host);
if (ret != 0) {
ui.remote_host = NULL;
} else {
ui.remote_host = remote_host;
}
ui.mapped.account_name = account_name;
ui.mapped.domain_name = domain_name;
log_authentication_event(kdc_db_ctx->msg_ctx,
kdc_db_ctx->lp_ctx,
&ui,
status,
domain_name,
account_name,
NULL,
sid);
TALLOC_FREE(frame);
break;
}
case HDB_AUTH_CLIENT_UNKNOWN:
{
struct tsocket_address *remote_host;
int ret;
TALLOC_CTX *frame = talloc_stackframe();
ret = tsocket_address_bsd_from_sockaddr(frame, from_addr,
sa_socklen,
&remote_host);
if (ret != 0) {
ui.remote_host = NULL;
} else {
ui.remote_host = remote_host;
}
log_authentication_event(kdc_db_ctx->msg_ctx,
kdc_db_ctx->lp_ctx,
&ui,
NT_STATUS_NO_SUCH_USER,
NULL, NULL,
NULL, NULL);
TALLOC_FREE(frame);
break;
}
}
return 0;
}
/*
called when we get a new connection
*/
static void kdc_tcp_accept(struct stream_connection *conn)
{
struct kdc_socket *kdc_socket = talloc_get_type(conn->private_data, struct kdc_socket);
struct kdc_tcp_connection *kdcconn;
struct socket_address *src_addr;
struct socket_address *my_addr;
int ret;
kdcconn = talloc_zero(conn, struct kdc_tcp_connection);
if (!kdcconn) {
stream_terminate_connection(conn, "kdc_tcp_accept: out of memory");
return;
}
kdcconn->conn = conn;
kdcconn->kdc_socket = kdc_socket;
conn->private_data = kdcconn;
src_addr = socket_get_peer_addr(kdcconn->conn->socket, kdcconn);
if (!src_addr) {
kdc_tcp_terminate_connection(kdcconn, "kdc_tcp_accept: out of memory");
return;
}
my_addr = socket_get_my_addr(kdcconn->conn->socket, kdcconn);
if (!my_addr) {
kdc_tcp_terminate_connection(kdcconn, "kdc_tcp_accept: out of memory");
return;
}
ret = tsocket_address_bsd_from_sockaddr(kdcconn,
src_addr->sockaddr,
src_addr->sockaddrlen,
&kdcconn->remote_address);
if (ret < 0) {
kdc_tcp_terminate_connection(kdcconn, "kdc_tcp_accept: out of memory");
return;
}
ret = tsocket_address_bsd_from_sockaddr(kdcconn,
my_addr->sockaddr,
my_addr->sockaddrlen,
&kdcconn->local_address);
if (ret < 0) {
kdc_tcp_terminate_connection(kdcconn, "kdc_tcp_accept: out of memory");
return;
}
TALLOC_FREE(src_addr);
TALLOC_FREE(my_addr);
kdcconn->packet = packet_init(kdcconn);
if (kdcconn->packet == NULL) {
kdc_tcp_terminate_connection(kdcconn, "kdc_tcp_accept: out of memory");
return;
}
packet_set_private(kdcconn->packet, kdcconn);
packet_set_socket(kdcconn->packet, conn->socket);
packet_set_callback(kdcconn->packet, kdc_tcp_recv);
packet_set_full_request(kdcconn->packet, packet_full_request_u32);
packet_set_error_handler(kdcconn->packet, kdc_tcp_recv_error);
packet_set_event_context(kdcconn->packet, conn->event.ctx);
packet_set_fde(kdcconn->packet, conn->event.fde);
packet_set_serialise(kdcconn->packet);
}
